
I am working with ColdFusion 11 on an Apache web server on Windows hosting. I do not have much knowledge about basic authentication, so I am a little confused about this:

  1. Why does the Basic authentication type store the password in the .htpasswd file, so that it is not necessary to store it in a database?
  2. How do I redirect a request from HTTP to HTTPS before the password prompt appears?

The .htaccess file code below is working fine: it first authenticates completely and then redirects from HTTP to HTTPS, but I want the redirect from HTTP to HTTPS to happen before entering a password. Here is my httpd.config file virtual host code:

```apache
<VirtualHost  112.192.12.16>
    DocumentRoot C:/Apache24/htdocs/enovis53
    ServerName test.example.com
    ErrorLog logs/enovis-inc.com-error_log
    CustomLog logs/enovis-inc.com-access_log common
</VirtualHost>
```

My .htaccess file code:

```apache
AuthName "Example CLMS Production (v5.3.0.0)"

AuthType Basic
AuthUserFile "C:\Apache24\htdocs\enovis53\.htpasswd"
require valid-user
```

If anybody knows this, please guide me. I don't know whether this is the right thing to ask the community. All suggestions are welcome. Thanks in advance.

vinny

1 Answer
  1. Why does the Basic authentication type store the password in the .htpasswd file, so that it is not necessary to store it in a database?

This is determined by AuthBasicProvider

Syntax: AuthBasicProvider provider-name [provider-name] ...
Default: AuthBasicProvider file

The AuthBasicProvider directive sets which provider is used to authenticate the users for this location. The default file provider is implemented by the mod_authn_file module.

So in your case, no provider is defined, and the default (file) is applied. If you want another provider, e.g. some db, specify dbm, ldap, ...


  2. How do I redirect a request from HTTP to HTTPS before the password prompt appears?

Usually, some directive is applied unconditionally, unless restricted somehow. To have the password requested only when HTTPS is active, you may try to enclose the Auth directives or at least the Require inside an If

```apache
<If "%{HTTPS} == 'on'">
    AuthName "Example CLMS Production (v5.3.0.0)"
    AuthType Basic
    AuthUserFile "C:\Apache24\htdocs\enovis53\.htpasswd"
    require valid-user
</If>
```

But now, all content is accessible without password, when requested via http://test.example.com. Don't forget to force https!


Unrelated, but note the security warning from AuthUserFile

Security

Make sure that the AuthUserFile is stored outside the document tree of the web-server. Do not put it in the directory that it protects. Otherwise, clients may be able to download the AuthUserFile.

Olaf Dietsche
  • Thanks, Olaf, my knowledge about basic authentication is much clearer now. But this code does not work ....If> Give another solution so I will fix it. Thanks in advance – vinny Apr 19 '17 at 12:32
  • @vinny I missed the quotes around `'on'`, please try again. – Olaf Dietsche Apr 19 '17 at 12:45
  • OK, this works for me. One more question: how does one get wide knowledge about .htaccess files and rules? – vinny Apr 19 '17 at 13:50
  • @vinny This is like any knowledge, it comes with time. Answering questions here, and reading documentation at `https://httpd.apache.org/docs/current/`, of course. It also helps just trying things in a local Apache installation, e.g. WAMP or XAMPP. – Olaf Dietsche Apr 19 '17 at 14:45
  • Thank you for helping me improve my knowledge and solve my problem. Everything is working as expected, but my Internet Explorer does not redirect HTTP to HTTPS. Any idea how it works? – vinny Apr 21 '17 at 08:03
  • Without details, nobody can know, just ask another question. If you have access to the main/virtual host config, this answer http://stackoverflow.com/a/27976877/1741542 seems the most elegant. If you must do it through .htaccess take one of the many examples here on Stackoverflow, e.g. http://stackoverflow.com/search?q=%5B.htaccess%5D+%5Bhttps%5D+redirect. – Olaf Dietsche Apr 21 '17 at 09:41
  • There are also examples at Apache's wiki, e.g. https://wiki.apache.org/httpd/RedirectSSL and https://wiki.apache.org/httpd/RewriteHTTPToHTTPS – Olaf Dietsche Apr 21 '17 at 09:44
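
The setup the answer and its comments point to (force HTTPS in the virtual host config, ask for the password only over HTTPS, keep the password file outside the document tree), as an added example that is not part of the original posts. The `*:80` and `*:443` addresses, the certificate paths and the `C:/Apache24/conf/.htpasswd` location are assumptions; it also assumes mod_ssl is loaded and the server listens on port 443.

```apache
# Added example for the main server config (not from the original posts).

# Plain-HTTP virtual host: serves no content and never asks for a password.
# Every request is redirected to HTTPS before any auth directive can run.
<VirtualHost *:80>
    ServerName test.example.com
    Redirect permanent / https://test.example.com/
</VirtualHost>

# HTTPS virtual host: the only place where the Basic auth prompt appears,
# so the credentials are always sent inside the TLS connection.
<VirtualHost *:443>
    ServerName test.example.com
    DocumentRoot "C:/Apache24/htdocs/enovis53"

    SSLEngine on
    # Placeholder paths (assumption): use your own certificate and key.
    SSLCertificateFile    "C:/Apache24/conf/ssl/server.crt"
    SSLCertificateKeyFile "C:/Apache24/conf/ssl/server.key"

    <Directory "C:/Apache24/htdocs/enovis53">
        AuthName "Example CLMS Production (v5.3.0.0)"
        AuthType Basic
        # Assumed location outside the document tree, following the
        # AuthUserFile security warning quoted in the answer.
        AuthUserFile "C:/Apache24/conf/.htpasswd"
        Require valid-user
    </Directory>
</VirtualHost>
```

With the auth directives living only in the HTTPS virtual host, the `<If "%{HTTPS} == 'on'">` wrapper is no longer needed, and the plain-HTTP host has no content to expose without a password.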